Third (3rd) Party Network Access Request Form – V1.2 Instructions: Read these policies and terms carefully. Sign and completed the section on page 3 indicating your agreement. Please note that both the end-user and the sponsoring Pacific unit/department must agree to these terms and conditions Third Party Network Access Request Service This document outlines a service for accessing the University of the Pacific’s network, PacificNet, by means of a direct PacificNet network connection, or Virtual Private Network (VPN) connection, within the Remote Access Policy of the University. The Remote Access Policy states: Remote access to the University will be appropriately provisioned and/or controlled to ensure required security. Definitions Virtual Private Network (VPN): A VPN creates a secure connection, called a tunnel, between a client computer and a VPN server. This connection is usually made over the Internet and, in that case, has the effect of extending PacificNet to remote users. Once connected, a user may access files and/or applications stored on central servers just as if the user’s machine was connected directly to PacificNet on any Pacific campus. If a VPN is used on campus, the effect is to create an encrypted connection across PacificNet. rd Third (3 ) Party: Refers to an affiliate or individual/entity from a vendor/agency requesting data/services access. Service Terms and Conditions rd Approved 3 Parties may connect to PacificNet either directly from an on-campus computer or remotely via VPN. Approvals must be obtained from rd the appropriate management at the Director level and above. The University Security Office must approve direct network access of 3rd Parties. 3 Party Network Access Request forms can be found on the OIT website. Requestors must have a demonstrated academic or business need to connect securely and/or to appear as a part of PacificNet. Use of this service in the performance of activities unrelated to the mission of the University is strictly prohibited. VPN is a user-managed service, which means that off-campus users of this technology are responsible for selecting an Internet Service Provider (ISP), coordinating installation with their ISP of any required software, and paying associated fees. Additionally, 1. It is the responsibility of those with VPN privileges to prevent unauthorized access to PacificNet from their VPN connected computer. 2. Users will be authenticated through their PacificNet ID and password. 3. All computers connected to PacificNet must: a. Use the most current anti-virus protection. b. Keep computers updated with the latest critical operating systems patches c. Use compatible firewall protection. More information regarding Cisco compatible firewalls are also listed on this site. d. Not bridge PacificNet to another network using this VPN connection. 4. When remotely connected to PacificNet via VPN, off-campus users agree that they are subject to the same University rules and regulations that apply to on-campus usage. In particular, users must adhere to Pacific’s Information Technology Policies including its Acceptable Use Policies (AUP) see Appendix 1. 5. VPN users will be disconnected from PacificNet after 15 minutes of inactivity. Pings or other artificial means used to bypass this time limit are strictly prohibited. 6. VPN absolute connection times are limited to 8 hours. 7. All requestors must read and agree to these terms and condition before a connection is granted. 8. Data collected, stored, backed up, processed or accessed using this service must be protected according to University policies and procedures. 9. Confidential university data should not be stored on privately owned systems. 10. Proper data removal/destruction procedure must be followed for off-campus systems at the end of employment, any contractual arrangement, or cessation of the individuals VPN service. 11. IT Security Office may annually review VPN requests for validation and audit purposes. Enforcement All individuals granted access to PacificNet or VPN service must adhere to the service terms and conditions. If these terms and conditions are rd violated, PacificNet access will be revoked. Violations will also be reported to the users’ management, which may lead to the termination of 3 party services or legal action. University of the Pacific Restricted Access Page 1 Last Updated: 10/2/2012 Third (3rd) Party Network Access Request Form – v1.2 Continued Data Access Agreement Version 1.04 1) I understand and accept that being granted access to the University of the Pacific's (from now on referred to as Pacific) network and information systems involves my assuming considerable responsibility for maintaining the integrity and security of Pacific’s data. I am responsible for the privacy and confidentiality of any Pacific data to which I have access. Such data may include but is not limited to the student, financial, medical, and personnel records. 2) I will comply with all related University of the Pacific policies, including its Acceptable Use Policy. I will comply with all the applicable federal and state laws, including but not limited to FERPA, HIPAA, ECPA, USA Patriot Act, TEACH Act, GLBA and SEVIS. 3) I will not share any Pacific data with any third party without the express authorization from the Data Steward/Information Owner AND Pacific's IT Security Office or the Chief Information Officer. I understand that providing unauthorized access to Pacific data or information is in violation of applicable state and federal laws, as well as Pacific’s Information Technology Policies. 4) I agree to keep all Pacific data that I collect, store, back-up, process or otherwise access secure by following accepted practice for secure use. For example, proper utilization of screen blanking, idle system timeouts, password standards, data encryption, anti-virus software, secure document storage and the shredding printed outputs, etc. 5) I agree to return or destroy all Pacific data in my possession upon the cessation of access to Pacific systems. I agree to immediately notify Pacific if my stewardship of Pacific data or my system access has been, or might have been, compromised. In case of reasonable suspicion or actual threat, I will immediately contact the University of the Pacific Helpdesk at 209-946-7400. 6) For remote access, I agree to sign and be bound by the terms and conditions of Pacific’s Virtual Private Network Service. (To be attached to this agreement) 7) I understand the term of access granted will be limited to the dates indicated in the access request form and is not to exceed 180 days. Long term access, beyond a 180 day term, may be requested by Pacific’s sponsoring division/unit but must be fully documented, justified and submitted to the IT Security Office for review. I understand that violating these terms and conditions may result in my access being revoked without notice and could include additional legal action. University of the Pacific Restricted Access Page 2 Last Updated: 10/2/2012 Third (3rd) Party Network Access Request Form – v1.2 Continued Instructions 3rd Party Network Access & VPN Request Form          Read the service terms and conditions rd Complete the 3 Party Data Section Have your sponsoring department/unit complete the Pacific Sponsor Authorization section Sign and date the form Deliver signed request form to the Pacific Human Resources Department Human Resources will initiate the account creation process and will forward the documentation to the CSC for processing The CSC will forward the request to the IT Security Office for review and approval Network access will not be granted until approvals are obtained Please allow for up to 5 business days for processing each request rd 3 Party Data: Please Print Required Access Start Date: rd 3 Party Data (Requestor to Complete) COMPANY: Required Access Expiration Date: ADDRESS: LAST NAME: FIRST NAME: PHONE: CAMPUS: TITLE: (Circle all that apply) VPN ACCESS REQUIRED? EMAIL: STK SFO SAC YES / NO (Circle one) I have read the service terms and conditions and agree to abide by the policies outlined therein. IT Security (Official Use Only) Pacific Sponsor Authorization SIGNATURE: DATE: Sponsoring Department/Unit Authorization: Please Print LAST NAME: FIRST NAME: DEPARTMENT / UNIT: CAMPUS: (Circle all that apply) rd STK SFO SAC rd I approve the access requested for the above 3 Party. When the 3 Party leaves the university, I will notify OIT to terminate network access. APPROVAL SIGNATURE: DATE: REVIEWED BY: HEAT # SCHEDUELED FOR REVIEW University of the Pacific Restricted Access EXT: DATE: DATE: Page 3 Last Updated: 10/2/2012 Third (3rd) Party Network Access Request Form – v1.2 Continued Appendix 1 Acceptable Use Policy Revision approved by Academic Council, February 8, 2007, Administration, March 19, 2007 POLICY: The University’s Computing and Communications Resources shall be used securely, respectfully, cooperatively in support of the University’s Mission. Definition: Computing and Communications Resources include all electronic technology used to store, copy, transmit, or disseminate visual, auditory, and electronic information as well as the information contained therein. This includes, but is not limited to, computers, networks, phones, fax machines, copiers, PDAs, cell phones and the information contained in them. Support of the University’s Mission The University provides Computing and Communications Resources to faculty, students, staff and others solely for the purposes of supporting teaching, learning, scholarship, service and administration within the context of the University’s mission. 1. The University is a non-profit, tax-exempt organization and, as such, is subject to a number of pieces of legislation regarding sources of income, political activities, use of property, etc. The University prohibits use of University information and University Computing and Communications Resources for commercial purposes or financial gain not authorized under University Policy, partisan political activities not part of a class assignment, and for any activity prohibited by law. 2. Incidental personal use of Computing and Communications Resources, within the guidelines of this policy, is considered appropriate. Such permissible incidental personal use does not include hosting, ASP (Application Service Provider), ISP (Internet Service Provider), WSP (Wireless Service Provider) or other services for third parties. Incidental personal use does not include activities for financial gain unless such activities are authorized under University Policy. Incidental personal use does not include the use of institutional data which may be contained in or extracted from institutional computing and communications systems. Personal use is not incidental if it incurs a direct cost to the University. 3. Use of Pacific’s Computing and Communications Resources by students, living on campus, in support of approved experiential learning and/or in support of their duties as compensated employees is explicitly authorized, so long as such usage does not violate any part of this policy. Secure Use Users of University Computing and Communications Resources are responsible for taking appropriate steps to safeguard University and personal information, as well as University facilities and services. 1. Passwords and other authentication and authorization codes, cards or tokens assigned to individuals must not be shared with others. Authorized Users must not provide access to unauthorized users. Passwords should be chosen carefully to lessen the possibility of compromise. Users are responsible for all activity that takes place under their UserID(s). 2. Activity that may compromise the system integrity or security of any on or off-campus system is prohibited. This includes any type of unauthorized access or hacking. 3. Unauthorized monitoring of individual User activity, information and communications is prohibited. See the University’s Computing and Communications Confidentiality Policy. 4. Users must ensure the security of restricted, confidential, proprietary, licensed, copyrighted or sensitive information entrusted to their care or that may come into their possession. Security includes, as appropriate, protection from unauthorized disclosure, modification, copying, destruction or prolonged unavailability. Unless approved by the University Security Officer, users must not store non-university personal identification numbers including, but not limited to, Social Security Numbers, Credit Card Numbers, or Drivers License Numbers on unsecured devices or media, for any period of time. Respectful Use University Computing and Communications Resources should be used in a manner that respects the rights of others. 1. Users must abide by all local, state and federal laws. This includes all applicable Copyright laws and license agreements, especially software license agreements. 2. Users must abide by the University’s Policy Against Sexual and Other Unlawful Harassment. That Policy prohibits verbal and visual conduct of a harassing nature. Threatening, obscene or other offensive messages or graphics that would be deemed inappropriate in other contexts are prohibited. 3. Users must not attempt to represent themselves as someone else, mask their identity, or engage in computing or communication activities using another User’s UserID or other electronic credentials. Use of University resources for illegal conduct is prohibited. University of the Pacific Restricted Access Page 4 Last Updated: 10/2/2012 Third (3rd) Party Network Access Request Form – v1.2 Continued 4. Users accessing off-campus systems must additionally abide by the rules, regulations and acceptable use policies of those external systems. Given that User action may reflect on the University or the User themselves, ethical behavior, courtesy, civility and good etiquette is highly recommended. 5. Users are prohibited from using the logos, word marks or other official symbols of The University of the Pacific without authorization from Pacific’s Marketing and University Relations. This specifically includes any such usage in connection with electronic systems, services and communications, both internal and external. This does not include the usage on physical or electronic letterhead when used for official University business. Cooperative Use Users of University Computing and Communications Resources are expected to cooperate so that all Users may make maximum use of facilities and services in a shared environment. 1. The University provides Computing and Communications Resources to facilitate business and academic activities of the University. Incidental personal use must not interfere with University business and academic activities. This includes personal activities that use bandwidth, occupy storage space, or slow down processing of systems, networks, or other resources needed for University business and academic activities. 2. Users must not knowingly engage in activities that would impede the activities of others including the internal or external distribution of junk email (a.k.a. Spam), chain mail, viruses, worms, remote controllers or other malicious code, or other unofficial and/or unsolicited distributions, especially to persons you do not know. 3. Users should refrain from using sounds or visuals that may be disruptive to others in shared facilities. 4. Users may not connect any device to PacificNet or the phone system that compromises security or impacts performance for others. This includes, but is not limited to, the connection of wireless access points, switches, hubs, routers, or auto dialers, not authorized by the Office of Information Technology. 5. All Users share the responsibility of seeing that University Computing and Communications Resources are used securely, respectfully, cooperatively, ethically, and for their intended purposes. If policy questions arise or if suspected policy violations are encountered, Users should take no unilateral action, but must promptly notify and/or cooperate with the appropriate University officials. Contact [email protected] Sanctions It is the responsibility of each User to understand his or her privileges and responsibilities regarding Acceptable Use and to act accordingly. Users failing to abide by the University’s Acceptable Use Policy (AUP) may be subject to corrective action up to and including, dismissal, expulsion, and/or legal action by the University. While technical corrective action, including limiting user activity or removing information, may be taken in emergency situations by authorized Information Technology staff, other corrective action, technical and/or non-technical, will be taken in accord with applicable University policies and procedures. In particular, students who violate this policy will be referred to Judicial Affairs for judicial review. University of the Pacific Restricted Access Page 5 Last Updated: 10/2/2012